Neelie Kroes has made another speech: Taking care of the Internet.
It’s another act of political ambiguity full of high-sounding phrases that mean nothing. Even the title is ambiguous: taking care as in nurturing, or taking care as in solving a problem? She has this vision of the internet, her ‘Internet Essentials’. She calls it her ‘Compact for the internet’:
One Internet that is
Architecturally sound, inspiring
It’s nothing more than a contorted sound bite, and when policy is forced into suiting a sound bite we do not get good governance. (Being mono-lingual I can only guess at the effort that has to go into producing multi-lingual sound bite anagrams – or do we have different policies to suit different languages?)
But basically it is the traditional eurocrat speech: I’m good, I believe in freedom, but I may have to exercise control for the benefit of everyone. One paragraph, a single sentence, stands out as being full of platitudinal menace:
Ultimately, different actors have different fields of expertise and responsibility: that must be respected, and due weight must be given accordingly.
That sounds to me like the nail in the coffin of net neutrality.
In politics, one good sound bite is worth a thousand good deeds; and the truth gets mislaid in the middle. This is what happened when Neelie Kroes tweeted: “Me recycling computers at the WEEE centre, #Nairobi http://t.co/FquRE13U”. And there’s another photo of her with a crowd of schoolkids. Africa, kids, recycling… What could be better?
The truth could be better; and the truth is that while recycling is good, re-using is better.
The EU WEEE Directive requires responsible decommissioning for old computers. You can’t just dump them in landfill – that’s irresponsible, dangerous and illegal. So to help responsible decommissioning, manufacturers pay a levy for every computer they sell. This levy then funds the Producer Compliance Schemes, which decommission defunct hardware responsibly – and legally. The problem is that WEEE is passively promoting recycling rather than actively promoting re-use. Consider this:
- High levels of product replacement and the concentration of energy intensity in the ICT production rather than use phase (80 and 20 percent, respectively) means that any activity that extends the life of ICTs–such as reuse–should be prioritised
- Reusing working computers is up to 20 times more energy-efficient than recycling them. Also, reuse has lower resource depletion costs than recycling. Thus, the waste hierarchy, which has reuse as more environmentally beneficial than recycling, equally applies to unwanted ICTs as to other wastes
ICT and the Environment
Change may happen. An amendment to the WEEE Directive is under discussion, and may come to fruition next month (October 2011); and come into UK law next year. The aim is to set a target of 5% re-use on old hardware. Five per cent! Anja ffrench, the director of marketing and communications at Computer Aid (a charity that concentrates on re-using rather than recycling) is too much of a lady to complain. “The European Parliament is proposing a 5% re-use target, which we would most definitely welcome,” she says – although the reality is it should be a 75% target.
“Computer Aid,” she told me, “is a WEEE-authorised treatment facility approved by the Environment Agency to take in equipment for re-use. We’re not signed up to any Producer Compliance Scheme – although we use DHL, which does belong to the Producer Compliance Schemes, for any recycling we have to do. So we’re a part of WEEE without directly being a WEEE compliance scheme.”
When you consider the cost of recycling in order to recover a fairly minimal value from the valuable metals contained, combined with the energy cost of manufacturing a new computer, then there is a clear environmental argument in favour of re-use. “And if you donate to a charity like Computer Aid,” continued Anja, “then there is a social argument as well. We take full legal liability for all of the equipment donated to us. We use Ontrack to data wipe all laptops, desktops, servers, and base units – and if for any reason we can’t do that, the disks are crushed and melted. Then it goes to a good cause.” And it’s all certified and guaranteed.
So you can donate to a good cause and have confidence that you are simultaneously destroying any data accidentally left on your systems. Everything that is reusable finds a deserving and needy home, and you can check this on Computer Aid’s Flickr streams.
“We have a waiting list right now for donations of old computers,” said Anja. “We have a continuous need for computers, laptops and monitors.” So, if you want the satisfaction that comes from combining environmental friendliness with legal compliance and adding more than a sprinkling of the warm, fuzzy feeling you get for doing absolutely the right thing, call Computer Aid now on +44 (0) 208 361 5540. Decommissioning should be more re-using than recycling.
I was talking to Uri Rivner – as one does – about the future of security. Uri is Head of New Technologies, Identity Protection at RSA; and knows a thing or two.
But first, some background. Security isn’t working. Ask Google or Sony or Nintendo or Mitsubishi or, indeed, RSA. Nobody is saying we need to chuck out all our existing security products and processes; but we need to do more to make them work. And that’s what we were talking about.
“Two things,” said Uri. “Firstly, in the future you will see more advanced analytics: automated detection systems, like the online banking fraud detection systems or online credit card fraud detection systems. We will see things that are automated and will learn, rather than have to rely on the rules that an expert writes.” At the moment, much of our attack detection is based on the rule definitions of our security experts; and it is difficult to write a rule to detect something we’ve never seen before. “Computers,” added Uri, “are much better at finding software attacks.”
Hold on to that thought: the future of security is in advanced, intelligent, automated analytics.
“Secondly,” he continued, “the future will include data sharing. Corporates today just don’t share their data with anyone else. If you are under attack, you’re on your own. But the future will have to include some level of data sharing in realtime. There will have to be some way to collaborate in realtime, so that rather than relying just on your own security operatives, you actually rely on the industry’s wisdom to help you find these attacks. In many cases the attackers don’t go after a single specific target; they go after lots of targets within a certain industry or country. So it will be crucial to share data in realtime.
“How will we do it? As always, the devil is in the detail. Not all of the technologies or directions are ready yet. There are tools and technologies that are being deployed as we speak, but I would say that it will take the industry a couple of years to actually do something that has a fighting chance against APT-type attacks.”
There are indeed many problems; not least the reluctance of one company to share information with another company that might be, or become, a competitor. Government seems to be a good starting point, where inter-departmental co-operation can be mandated before ultimately evolving into inter-governmental collaboration. But governments are naturally secretive: they believe their function is to gather intelligence, not to share it out. And then there are the legal pitfalls of multiple legal jurisdictions, each with subtly different data protection requirements.
But Uri insists on both the necessity and inevitability of data sharing. “The idea is not,” he continued, “to configure a big shared repository and say, hey, we’re under attack. We have to be more subtle. We have to abstract the data, anonymise the data, and we have to do all the things that will make it even legal to share data between competing operations and different countries. But the bottom line is this: we have to do it; it’s a must.
“Ask any US CISO,” he continued. “The USA has been heavily attacked over the last 18 months, and all the CISOs agree: we want to share data, we want it at machine speed and in realtime, and we don’t want to share it several days later. So we need to work out how we can do this and be both legal and practical. It will happen at some point. The banking sector is already doing this. They actually share data in realtime. Not everybody knows this, but it’s one of the measures the banking sector has already taken. If bank A is being attacked – I’m talking about financial fraud here, not APT – by some hacker or criminal and they learn about it, automatically it goes into a central repository which means that everyone is now protected from this attack. There are ways to solve this sort of thing. Exposure, legal issues, customer trust issues – there are ways to share data.”
So the future of security is in the combination of large-scale automatic and intelligent analytics with wide-scale security data sharing. Now here’s a coincidence, and it really is purely a coincidence: on Thursday a new security product that fulfils the first and could be used for the second will be announced. I’ll tell you more about that on Thursday.
Mark this day and keep it clear: Tuesday 27 September. That’s this coming Tuesday. It’s the day of Infosecurity’s Autumn Virtual Conference. And it’s packed full of goodies: secure software development, responsible breach disclosure, tablets in the enterprise, governance and compliance, e-crime, a career in security and, of course, APTs.
And the speakers! Marc van Zadelhoff, Director of Strategy at IBM Security Solutions; Professor John Walker; Microsoft’s Jeremy Dallman; Raj Samani, Strategy Advisor for the Cloud Security Alliance and CTO EMEA at McAfee; Chenxi Wang from Forrester; Paul Simmonds, co-founder of the Jericho Forum; and many more.
Oh yes. And me. E-crime. 11:00am. 27 September. Be there.
The European Data Protection Supervisor is like Cnut facing down a tide of bureaucratic encroachment into our privacy
I should preface this post with two comments:
- My degree is in English Language and Literature. This leaves me sadly unqualified to understand European legalese, for which the minimum of a two-one in Contorted Logic is required.
- I like Peter Hustinx. I respect the European Data Protection Supervisor. But I cannot see him as anything other than a latter-day Cnut merely demonstrating that nothing can stop the tide of bureaucratic incursion into our personal privacy.
It is with this background that I looked at his latest ‘Opinion’ on the Proposal for a Regulation of the European Parliament and of the Council on European statistics on safety from crime. I own that I struggled as much to understand it as I did to stay awake; and had little success with either.
Article 8(2) to (4) of Directive 95/46/EC and Article 10(2) to (4) of Regulation (EC) No 45/2001 contain exceptions to the prohibition of processing these categories of data. In the present case, Article 8(4) of Directive 95/46/EC and Article 10(4) of Regulation (EC) No 45/2001, which allow the processing of such data for reasons of “substantial public interest”, could apply.
So I readily admit that I have not a clue what this Opinion is about, other than it appears that the EDPS is exhorting the EU to obey EU laws. And that might be the problem. EU law is a complex, contradictory mess. Most people would accept that personal data can be kept private by making it anonymous: if the data cannot be associated with any particular individual, then it is, in any practical sense, anonymous and the individual’s privacy is preserved.
The problem is, the EU doesn’t seem to understand what this means.
As regards the possibility of identifying data subjects, two different notions are relevant in the EU legislation on statistics: “confidential data” and “anonymous data”. According to Regulation (EC) No 223/2009, data which allow statistical units (which might be natural persons, households, economic operators or other undertakings) to be “identified, either directly or indirectly”, are considered “confidential data” and are therefore subject to statistical confidentiality. However, Regulation (EC) No 831/2002 defines confidential data as data “which allow only indirect identification”.
Throughout this Opinion, poor Mr Hustinx has continually to specify which piece of EU legislation the EU should, in his opinion, adhere to. That much is simply a farce. But the actual definition of legal anonymity beggars belief:
…the definition provided in Recital 26 of Directive 95/46/EC and Recital 8 of Regulation (EC) No 45/2001, according to which personal data are “rendered anonymous” when the data subject is “no longer” identifiable, taking into account “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”
I have no idea what this means. But this is what it sounds like to me: anonymous does not legally mean anonymous; it means obfuscated. And obfuscation can be described as anonymous if the process of clarification would defeat the script kiddie in his bedroom. This means that data is still defined as legally anonymous even though it is not anonymous to the supercomputers of our own and/or foreign law enforcement or other agencies, or to any other person or organization willing to use more resources than are likely reasonably to be used. In short, anonymous is meaningless.
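Here is what that “means likely reasonably to be used” caveat looks like in practice. The script below is an example I have added for this page; it is not from the EDPS, the Regulation or anyone quoted here. It builds a made-up survey extract in which each date of birth has been replaced by its SHA-256 digest, the sort of thing that routinely gets called “anonymised”, and then reverses every digest by simply hashing all of the roughly 37,000 plausible dates of birth and looking the published values up. The only thing that stops that is a keyed HMAC, and the body that holds the key is still “any other person” who can identify the subject. The survey rows and the key are constructed.

```python
"""Added example, not part of the original post: why a hashed identifier is
pseudonymised rather than anonymised. The survey rows and the key are constructed."""
import datetime
import hashlib
import hmac
from typing import Dict, Iterator, List, Optional


def pseudonymise(dob: str, key: Optional[bytes] = None) -> str:
    """Replace a date of birth (ISO 8601 text) with a hex digest.

    key=None is the naive scheme, a bare SHA-256 of the value: anyone can reverse
    it by enumeration. With a key it becomes HMAC-SHA256, which only resists
    enumeration by parties who do not hold the key.
    """
    data = dob.encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def candidate_dobs(first_year: int = 1911, last_year: int = 2011) -> Iterator[str]:
    """Every plausible date of birth for a living respondent: about 37,000 values."""
    day, stop = datetime.date(first_year, 1, 1), datetime.date(last_year, 12, 31)
    while day <= stop:
        yield day.isoformat()
        day += datetime.timedelta(days=1)


def reidentify(pseudonyms: List[str], key: Optional[bytes] = None) -> Dict[str, Optional[str]]:
    """Dictionary attack: hash every candidate under the same scheme, then look
    each published pseudonym up. Unmatched pseudonyms map to None."""
    table = {pseudonymise(dob, key): dob for dob in candidate_dobs()}
    return {p: table.get(p) for p in pseudonyms}


# Constructed "anonymised" extract: the publisher has replaced the date of birth
# column with its SHA-256 and considers the rows no longer identifiable.
SURVEY_DOBS = ["1957-03-14", "1984-11-02", "2001-07-30"]
PUBLISHED_ROWS = [
    {"pseudonym": pseudonymise(dob), "postcode_district": pcd, "burglary_victim": victim}
    for dob, pcd, victim in zip(SURVEY_DOBS, ["SW1A", "M1", "EH8"], [True, False, True])
]


def recovered_dobs(rows: List[dict], key: Optional[bytes] = None) -> List[Optional[str]]:
    """Date of birth recovered for each row, in row order (None where the attack fails)."""
    hits = reidentify([row["pseudonym"] for row in rows], key)
    return [hits[row["pseudonym"]] for row in rows]


if __name__ == "__main__":
    for row, dob in zip(PUBLISHED_ROWS, recovered_dobs(PUBLISHED_ROWS)):
        print(f"{row['postcode_district']:5} burglary={row['burglary_victim']!s:5} dob={dob}")
```

Run it and every published row comes back with its date of birth attached, in well under a second on any laptop. Switch the pseudonym to an HMAC under a secret key and an outsider’s dictionary attack returns nothing; the controller holding the key, however, can still reverse every row, which is exactly the distinction the Opinion’s definition skates over.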
So the moral of this little post is simple. If any European agency asks for your personal data and promises anonymity, don’t give it up. Europe lies in the classic Orwellian fashion: it redefines the truth.
I’ve commented on Neelie Kroes’ and Viviane Reding’s EU desire to get more women into the higher echelons of business (Net neutrality and business gender neutrality in the EU) and absolutely endorse the intent. Here in the UK we have our own poor man’s (sorry about the sexism) Kroes/Reding double act in the Harman/Cooper comedy pairing.
Tomorrow, with thanks to Guido for pointing to the excellent WomenOn blog, Harman/Cooper will be hosting a ladies-only meeting + Ed Miliband. Guido, of course, sees the funny side of things:
…Harriet Harman and Yvette Cooper are hosting a ‘What Women Want’ meeting tomorrow at Labour Party conference. What they apparently don’t want is men at the meeting. However Mrs Dromey and Mrs Balls are giving Ed Miliband a sex change for the day and making him an honorary woman so that he can address the meeting of the wimmin.
Ed Miliband to Have Sex Change Tomorrow
WomenOn sees the tragic side:
This is an outrage… It makes all those involved look out-of-touch, but more importantly, it does untold damage to the cause of equality for women. Why should men support equality for women if they are treated in this way?
Men, know your place! Harriet Harman doesn’t want to hear you
And that’s what it is: funny and tragic. The tragedy is that serious businessmen will continue to consider women as a lunatic fringe. All the good work done by Kroes/Reding, and indeed WomenOn, will be undone by the absurdly funny Harman/Cooper double act.
Concern is growing that Microsoft might be trying to pull a fast one. New PCs shipped with Windows 8 are quite likely, through UEFI secure boot, to refuse to boot any operating system that is not signed with a key the firmware already trusts; and if the only keys shipped are the OEM’s and Microsoft’s, that means any other operating system is locked out. You can get more technical details from the blog of Matthew Garrett:
A system that ships with only OEM and Microsoft keys will not boot a generic copy of Linux.
UEFI secure booting
Ross Anderson also discusses the issue:
There seems to be an attempt to revive the “Trusted Computing” agenda. The vehicle this time is UEFI which sets the standards for the PC BIOS. Proposed changes to the UEFI firmware spec would enable (in fact require) next-generation PC firmware to only boot an image signed by a keychain rooted in keys built into the PC. I hear that Microsoft (and others) are pushing for this to be mandatory, so that it cannot be disabled by the user, and it would be required for OS badging.
Trusted Computing 2.0
But we needn’t worry, because EDRi points out that it would all be illegal in Europe:
This measure would be illegal according to EU competition law, such as article 102 of the EU Treaty, as it would give the possibility for a company to leverage a dominant position on one market (operating systems) in order to become dominant on another market (hardware).
Free operating systems might be blocked by Windows 8
Isn’t it reassuring (not – if you don’t recognise sarcasm) that the EU has such a strong record in enforcing its laws against big business. Apple will be rubbing its hands in glee at the thought that disgruntled PC users might flock to Mac and its Boot Camp software (which partitions the disk so that Windows can be installed and run on the same machine). Better still, if Microsoft persists with this idea, vote with your feet and migrate to Mac or Linux or anything that isn’t Microsoft.
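Before voting with anyone’s feet, it is worth looking at what your own firmware actually enforces, because the whole argument turns on which keys are in the machine. The script below is my added example, not anything from Garrett, Anderson or EDRi. On a Linux box with efivarfs mounted (the normal /sys/firmware/efi/efivars) it reports whether Secure Boot is enforcing, in setup mode or off, and then walks the signature database (db) and forbidden-signature database (dbx), listing who is enrolled. The variable names and GUIDs are the ones the UEFI specification assigns; the EFI_SIGNATURE_LIST layout is the spec’s; the owner GUID, certificate bytes and hashes in the built-in sample are made up so the parser can be exercised on a machine with no EFI at all. A PC that ships with “only OEM and Microsoft keys” shows precisely that in its db listing.

```python
"""Added example, not from the original post: inspect UEFI Secure Boot on Linux.

Reads SecureBoot/SetupMode and the db/dbx signature databases from efivarfs and
lists what is enrolled. GUIDs are the UEFI specification's; SAMPLE_* values are
constructed so the parser can be demonstrated without EFI firmware."""
import re
import struct
import uuid
from pathlib import Path
from typing import Iterator, List, Optional, Tuple

EFIVARS = Path("/sys/firmware/efi/efivars")
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"        # SecureBoot, SetupMode, PK, KEK
EFI_IMAGE_SECURITY_DATABASE = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def read_efivar(name: str, guid: str, root: Path = EFIVARS) -> Optional[bytes]:
    """Variable data minus the 4-byte attribute word efivarfs prepends; None if absent."""
    path = root / f"{name}-{guid}"
    return path.read_bytes()[4:] if path.is_file() else None


def classify(secure_boot: Optional[bytes], setup_mode: Optional[bytes]) -> str:
    """Map the two one-byte flags to: no-efi, setup-mode, enforcing or disabled."""
    if secure_boot is None:
        return "no-efi"
    if setup_mode and setup_mode[0] == 1:
        return "setup-mode"  # no Platform Key enrolled: the owner can install their own keys
    return "enforcing" if secure_boot[:1] == b"\x01" else "disabled"


def secure_boot_state(root: Path = EFIVARS) -> str:
    return classify(read_efivar("SecureBoot", EFI_GLOBAL_VARIABLE, root),
                    read_efivar("SetupMode", EFI_GLOBAL_VARIABLE, root))


def parse_signature_lists(blob: bytes) -> Iterator[Tuple[uuid.UUID, uuid.UUID, bytes]]:
    """Walk the chain of EFI_SIGNATURE_LIST structures that make up db or dbx.

    Each list: SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32
    | SignatureSize u32 | header | N x (SignatureOwner GUID(16) | SignatureData).
    Yields (signature_type, owner, data) per entry; raises on a malformed blob."""
    off = 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end
    if off != len(blob):
        raise ValueError("trailing bytes after the last EFI_SIGNATURE_LIST")


def describe(blob: bytes) -> List[str]:
    """One readable line per enrolled entry."""
    lines = []
    for sig_type, owner, data in parse_signature_lists(blob):
        if sig_type == EFI_CERT_X509_GUID:
            # No X.509 library needed for a rough answer: DER stores subject and
            # issuer names as plain ASCII, so the longest printable run is usually a CN.
            runs = re.findall(rb"[ -~]{10,}", data)
            label = max(runs, key=len).decode() if runs else "<unnamed certificate>"
            lines.append(f"x509   owner={owner} {label}")
        elif sig_type == EFI_CERT_SHA256_GUID:
            lines.append(f"sha256 owner={owner} {data.hex()}")
        else:
            lines.append(f"{sig_type} owner={owner} {len(data)} bytes")
    return lines


def build_signature_list(sig_type: uuid.UUID, entries: List[Tuple[uuid.UUID, bytes]]) -> bytes:
    """Inverse of the parser, used to construct sample data; one list shares one SignatureSize."""
    sizes = {len(data) for _, data in entries}
    assert len(sizes) == 1, "entries in one list must be the same size"
    body = b"".join(owner.bytes_le + data for owner, data in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + sizes.pop()) + body


# Constructed sample: a fake DER-ish blob carrying a recognisable name, plus two hashes.
SAMPLE_OWNER = uuid.UUID("00000000-0000-4000-8000-000000000001")
SAMPLE_CERT = b"\x30\x82\x03\x00\x30\x82\x02\x00" + b"Microsoft Corporation UEFI CA 2011" + b"\x00" * 8
SAMPLE_DB = (build_signature_list(EFI_CERT_X509_GUID, [(SAMPLE_OWNER, SAMPLE_CERT)])
             + build_signature_list(EFI_CERT_SHA256_GUID, [(SAMPLE_OWNER, b"\xab" * 32), (SAMPLE_OWNER, b"\xcd" * 32)]))


def report(root: Path = EFIVARS) -> List[str]:
    """Secure Boot state plus the contents of db and dbx, as printable lines."""
    out = [f"Secure Boot: {secure_boot_state(root)}"]
    for db in ("db", "dbx"):
        blob = read_efivar(db, EFI_IMAGE_SECURITY_DATABASE, root)
        out.append(f"{db}: " + ("not present" if blob is None else "enrolled entries"))
        out.extend("  " + line for line in describe(blob or b""))
    return out


if __name__ == "__main__":
    print("\n".join(report()))
    print("sample db (constructed):")
    print("\n".join("  " + line for line in describe(SAMPLE_DB)))
```

On a machine with no EFI the report simply says so and the constructed sample is still decoded, so the parser can be checked anywhere. On a real Windows 8 era PC the interesting lines are the x509 entries in db: if the only names are the OEM’s and Microsoft’s, nothing else will boot until either the owner enrols their own key (possible only if the firmware lets them, which was the whole worry) or Secure Boot is switched off.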
I give you two blogs. The first is Slog (a contraction of ‘the bollocks log’) from the pen of John Ward. The second is Informationlaw, from the pen of Ibrahim Hasan, a lawyer specialising in information law including data protection, freedom of information and surveillance law.
From the first I give you the quote of the year:
You see, while the EU is deluded, disorganised, retarded and obese, it will never match the UK for stark-staring intelligent madness. As and when the EU finally implodes, this means we can go back to being global brand leader in bollocks.
Intelligent British bollocks will soon be a world leader once again
And from the second a discussion on how the government intends to remove some of the madness from the Regulation of Investigatory Powers Act (RIPA). For those out of the loop, RIPA, basically an anti-terrorist law, has been used by local councils to monitor dog fouling, watch constituents who leave their waste bins out too early or too late, and follow children home from school to discover where they live. The government is ‘amending’ this with its new Protection of Freedoms Bill currently going through Parliament. But…
The Government has forgotten to do anything about section 80 of RIPA which says that RIPA is permissive legislation. This point was explained more fully by the Investigatory Powers Tribunal in the case of C v The Police (Case No: IPT/03/32/H 14th November 2006 http://www.ipt-uk.com/default.asp?sectionID=17):
“Although RIPA provides a framework for obtaining internal authorisations of directed surveillance (and other forms of surveillance), there is no general prohibition in RIPA against conducting directed surveillance without RIPA authorisation…”
Changes to RIPA – Will they have the desired effect?
QED, Slog; but I suggest that we’re not even waiting for the implosion.
Isn’t this wonderful? Google, never one to miss an advertising opportunity, advertises ‘Spam Swiss Pie’ in my Spam folder.
Strictly speaking, of course, they’ve got it wrong (although it could be part of the joke): it should be SPAM not spam. It’s a genuine recipe using the SPAM meat product, reproduced here from recipesource.com.
Marnix Dekker, one of the authors of the ENISA report on Appstore Security, has responded to my post in its comments (Appstore security: a new report from ENISA) and I would like to thank him for doing so. It’s worth reading, and I reproduce it here in full:
As one of the authors, allow me to briefly reply to your comments.
First of all thank you for reviewing the paper, I appreciate the feedback. Rants can be very refreshing.
It is true that the lines of defense are not in anyway controversial and may seem obvious. We felt that there was the need to outline the different defenses that can be used, as most of the app stores and platforms are not very explicit about these defenses. This is confusing for consumers.
Allow me to comment on your criticism of the killswitch. I would like to note that we do not exclude that there are other (than military) settings where a killswitch is unwanted. Bear in mind that most of the users do not want to keep malware on their device. We even mention that an opt-out where appropriate should be offered.
About jails: We are not saying that jailbreaking should be illegal, or that consumers should have no means of using alternative appstores… only that this should not be made so easy as to allow drive-by download attacks (email+link, genuine looking appstore, install approval, click, infected).
Your alternative proposal, to hold appstores liable for software vulnerabilities, is really a legal solution. I think it is a very interesting subject, but (big disclaimer) I am not a legal expert:
Some issues with this:
- It would be easy to set up a rogue appstore, run it from some obscure country, fill it with some infected apps. It would also be relatively easy to trick users into installing from there. Your solution, to simply find a suspect, and a court to fine, sounds to me a bit complicated. Just think of all the extradition procedures, harmonisation of laws, etc. that would be needed. Let’s ignore rogue appstores in the sequel.
- If I look at other platforms/software I do not see many consumers being granted compensation by courts, nor do I see many software vendors being fined for selling/distributing flawed software. Now this could change in the future, but I think we should address security in the meantime as well.
- Secondly, judges usually start fining people when it is clear they have been negligent or had malicious intent. That requires some kind of definition/agreement of what are best practices and sufficient measures/defences.
- Another issue with liability is – I think – the following: Imagine the opensourcing of software to continue. Android, Linux, Openoffice, etc, are examples of this trend: A couple of volunteers decide to solve a problem (text editing say) by writing some software routines (say openmoko)… they publish them free of charge and they disclaim that you should only use this software at your own risk. Would you think it is fair to still fine them for flaws? What I am trying to say is that there are numerous examples of free opensource software/apps/platforms, and that we still need to address security there as well. Do you agree that the liability solution would only work for commercial software/platforms? In that case, what do we do about the rest?
Looking forward to discussing this with you – software liability is a fascinating topic